Receive alert 4 hours later

Follow

Network Support

• August 07, 2017 16:28

I have a weird issue of getting alert after 4 hours of the event. Logs in the device sending syslog has correct time. When i query in sumo, i see the event happened for example at 2 pm while the event actually happened at 10 AM in the morning which is 4 hours earlier. However, if i check r"use receipt time" in sumo query dashboard, i do see the logs at actual time. So, how do i generate alert with checked "use receipt time"?

0

• Official comment

  

  Graham Watts

  • August 07, 2017 16:44

  Hi There - this is likely a timezone issue. If you navigate to your collector management page (Manage Data > Collection) you will need to correct the syslog source's timezone by adjusting it to the timezone of the physical location those syslog messages are being generated in.
  
  Here is a screenshot for where to adjust:
  
  
  I hope this helps, let us know if you have additional questions here.
  
  Thanks,
  
  Graham

  Comment actions Permalink
• 

  Anil Baradia

  • September 06, 2017 06:26

  Even I am facing the same problem regarding time lag even after time zone modification. It is taking 20-30 minutes to reflect the logs in the dashboard. Is this time can be reducible?

  0

  Comment actions Permalink
• 

  Graham Watts

  • September 06, 2017 18:24

  Hey Anil,
  
  There are many reasons data might be delayed getting to Sumo Logic. What type of log is this?
  
  Here's a query you can try to see the difference between when the event was generated and when we received it:

  _sourceCategory=<Your_Category_here>

  | ((_receipttime - _messagetime)/1000)/60 as timediffmins
  | timeslice 5m
  | avg(timediffmins) by _timeslice

   

  1

  Comment actions Permalink

Please sign in to leave a comment.